US-8806581

Secure launching of browser from privileged process

Published: August 12, 2014
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a restricted-capability web browser pointed toward a web server. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, the restricted-capability web browser is launched toward a web server. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation, but in a capacity without the limited functionality or the imposed browser restrictions.
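The navigation restriction described in the abstract (https only, no links beyond the original host) can be expressed as a single check, shown here as an added example that is not taken from the patent. The host name and sample links are constructed placeholders, and pinning the port as well as the host is an assumption stricter than the text.

```python
from urllib.parse import urljoin, urlsplit

def _host(parts):
    # urlsplit lower-cases the hostname and strips userinfo; drop a root dot
    return (parts.hostname or "").rstrip(".")

def _port(parts):
    return 443 if parts.port is None else parts.port

class NavigationPolicy:
    """https-only, same-host navigation check for a locked-down browser."""

    def __init__(self, start_url):
        start = urlsplit(start_url)
        if start.scheme != "https" or not _host(start):
            raise ValueError("start URL must be an absolute https URL")
        self.host, self.port = _host(start), _port(start)  # port pin: assumption

    def allows(self, target, current_url):
        target = target.strip()
        # Browsers treat "\" like "/" and drop control characters, so this
        # parser could disagree with them about the host: refuse both.
        if "\\" in target or any(ord(c) < 0x20 for c in target):
            return False
        try:
            parts = urlsplit(urljoin(current_url, target))  # resolve relative links
            port = _port(parts)
        except ValueError:  # malformed port or bracketed host
            return False
        return (parts.scheme == "https" and _host(parts) == self.host
                and port == self.port)

# Constructed sample data: the host name and links are placeholders.
START = "https://reset.example.test/forgot"
SAMPLE_LINKS = [
    "/change-password",
    "https://RESET.example.test./change",
    "http://reset.example.test/change",
    "//other.example.test/help",
    "https://reset.example.test@other.example.test/",
    "https://reset.example.test.other.example.test/",
    "https://reset.example.test:8443/",
    "file:///C:/",
]

def evaluate(links, start=START):
    policy = NavigationPolicy(start)
    return {link: policy.allows(link, start) for link in links}

if __name__ == "__main__":
    for link, ok in evaluate(SAMPLE_LINKS).items():
        print("ALLOW" if ok else "BLOCK", link)
```
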

Patent Claims
26 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computing device, comprising: one or more hardware processors configured to implement: a web browser; a user account with limited-functionality on the computing device, configured for imposing restrictions on capabilities of the web browser, where the restrictions on capabilities of the web browser are imposed by an executable file wrapped about the web browser; and a dynamic linked library configured to query a user as to whether the user forgot a password or other credential to log-on to the computing device and to log onto the user account with limited-functionality to launch the restricted-capability web browser toward a web server.

2. The computing device of claim 1, wherein the limited-functionality user account is configured to force the web browser to use an https protocol as part of the imposed restrictions.

3. The computing device of claim 2, further including a registry configured to be read by the executable file, the registry storing a location of the web server for pointing the restricted-capability web browser toward upon launch.

4. The computing device of claim 1, further including a logon window for a user to log-on to the computing device from a privileged process.

5. The computing device of claim 1, further including a directory server communicating with the web server to authenticate the identity of the user.

6. The computing device of claim 5, further including an authentication server communicating with the directory server, the authentication server to synch a new user password with the workstation.

7. The computing device of claim 2, wherein the dynamic linked library, the executable file and the web browser reside on the computing device.

8. A computer program product stored on a non-transitory computer readable medium of a computing device, comprising: a first component configured to enable the creation of a limited-functionality user account on the computing device on-the-fly or earlier upon installation by a system administrator; and a second component having a dynamic linked library configured to query a user as to whether the user forgot a password or other credential for logging-on to the computing device and, upon the user affirmatively indicating forgetting the password or other credential, to log onto the limited-functionality user account to launch a restricted-capability web browser toward a web server; and a third component having an executable file configured to wrap about the web browser to impose the restrictions on capabilities of the web browser.

9. The computer program product of claim 8, wherein the second component dynamic linked library is configured to log onto the limited-functionality user account and invoke the executable file to launch the restricted-capability web browser.

10. The computer program product of claim 9, wherein the second component dynamic linked library is further configured to force the restricted-capability web browser to use an https protocol as part of the imposed restrictions on capabilities of the web browser.

11. The computer program product of claim 8, further including a fourth component configured to prevent the user from linking to a web location in other than the https protocol or following links to hosts other than the web server and/or to prevent the web browser from writing to a registry or installing ActiveX controls.

12. In a computing system environment having pluralities of computing devices arranged for an enterprise, a method of securely launching a web browser from a privileged process of a computing workstation of a user to minimize vulnerabilities to the enterprise, comprising: creating a limited-functionality user account for use via the computing workstation; querying the user as to whether the user forgot a password or other credential for logging on to the workstation; and upon receipt of the user affirmatively indicating the forgetting, logging onto the created limited-functionality user account to launch a restricted-capability web browser toward a web server whereby, upon authentication of an identity of the user via the restricted-capability web browser, the user can change the password or other credential for later logging-on to the workstation in a capacity without the limited function of the created user account and the imposed restrictions on capabilities of the web browser wherein the logging onto the limited-functionality user account invokes an executable file wrapped about the web browser to impose the restrictions on capabilities of the web browser.

13. The method of claim 12, further including forcing the restricted-capability web browser to use an https protocol.

14. The method of claim 13, further including preventing the user from linking to a web location in other than the https protocol or following links to hosts other than the web server at a time when the created user account with limited function is being used.

15. The method of claim 12, further including preventing the web browser from writing to a registry or installing ActiveX controls at a time when the created limited-functionality user account is being used.

16. The method of claim 12, wherein the invoking the executable file to launch the web browser further includes invoking the web browser through an IWebBrowser2 control.

17. The method of claim 12, wherein the creating the limited-functionality user account occurs on-the-fly or earlier during installation by a system administrator.

18. The method of claim 17, further including creating a random password and, if the creating the user account occurred said on-the-fly, creating the user account with the created random password.

19. The method of claim 17, further including creating a random password and, if the creating the user account occurred said earlier during installation by the system administrator, changing a first password of the created user account to that of the created random password.

20. The method of claim 12, wherein the logging onto the created user account further includes using a dynamic linked library for the invoking the executable file to launch the web browser toward the web server.

21. The method of claim 20, wherein the dynamic linked library calls a CreateProcessAsUser API for the invoking the executable file to launch the web browser toward the web server.

22. The method of claim 20, wherein the logging onto the created user account further includes logging onto the dynamic linked library from a LogonUser API.

23. The method of claim 13, wherein the forcing the web browser to use the https protocol further includes receiving an X.509 certificate from the web server including a host name of the web server in a subject category and a signature from a Certificate Authority.

24. A system comprising: a web server; a computing workstation for accessing a web browser; memory storing instructions, which, when executed by one or more processors in the computing workstation, causes the one or more processors to perform operations comprising: configuring a limited-functionality user account on the computing workstation to impose restrictions on capabilities of the web browser, where the restrictions on capabilities of the web browser are imposed by an executable file wrapped about the web browser; configuring a dynamic linked library to, upon a user affirmatively indicating forgetting a password or other credential, log onto the limited-functionality user account to launch the restricted-capability web browser toward the web server; and whereby the user can change the password or other credential for later logging-on to the workstation in a capacity without the limited-functionality user account and the restricted-capability web browser.

25. The system of claim 24, wherein the limited-functionality user account is configured to force the web browser to use an https protocol as part of the imposed restrictions.

26. The system of claim 25, further including a registry configured to be read by the executable file, the registry storing a location of the web server for pointing the restricted-capability web browser toward upon launch.

Patent Metadata

Filing Date: February 6, 2012

Publication Date: August 12, 2014
